There is no 100% safe software, and the Internet of Things cannot be blamed for that. What is needed are “adequate” standards of security that meet the needs of both businesses and consumers.
As anticipated, I had quite a busy week speaking at 3 different conferences on topics connected to the Internet of Things. One of the most animated discussions concerned the need to ensure that IoT devices are totally secure, especially after the recent cyber attacks.
My view is slightly different from the one commonly adopted, and it is the following:
There is no 100% secure software
As outlined in this blog post, where I discussed cyber risk insurance policies, 48.8 million cyber attacks occurred in 2014! That means more than 100k cyber attacks a day. My friend Pierluigi Paganini (one of the major European cyber security experts) very effectively emphasized in our presentation that, despite investments in security, there will always be potential bugs in software, and each of them is a possible source of cyber attacks.
Regulators cannot require excessive standards of security
If the security measures required of companies are excessive in terms of costs and investments, they will become a barrier to entry into the market and would prevent Internet of Things companies from launching their products before they have secured considerable investments. And in any case, as mentioned above, even considerable investments might not be sufficient to avoid a cyber attack.
Security standards have to be adequate and certain
I don’t want to be misunderstood. I am not saying that regulations should not oblige companies to comply with security standards. Privacy regulations already oblige companies to comply with a security standard that is adequate to the risk arising from the processed data. And under the new EU Privacy Regulation, the sanctions for breaching that obligation will become equal to 2%/5% of the breaching entity’s global turnover.
But the question is: what is an adequate standard of security?
A standard of security should not be deemed inadequate just because some quite smart guy managed to hack a system. But the industry cannot afford such uncertainty, and it cannot afford overly costly standards either.
The Internet of Things industry needs certainty. This could be provided by setting standards of security that are validated by public authorities and become a certification requirement for Internet of Things companies.
I have been told that standardization bodies are sometimes slow in updating standards and keeping them in line with technological development. This might be true, but since they work in other industries, I don’t see why the same approach could not be developed for the IoT.
Compliance with the required certification would give companies investing in the Internet of Things substantial protection against claims. At the same time, it would become easier to spot those that do not comply with such standards and need to be sanctioned.